Keep up to date with our blog articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.
Transferring personal data to Japan: ‘White List’ membership looking like a reality
White List status would assist Japanese companies that sell services and goods into, or employ staff in, the EEA.
In a joint statement, the EU Commissioner for Justice and a Commissioner of Japan’s Personal Information Protection Commission confirmed on 3 July 2017 that their work towards finding an adequate level of protection to facilitate smooth and mutual data flows between the EU (European Union) and Japan were on track for reaching a decision in 2018.
If the EU Commission (Commission) finds that Japan does offer an adequate level of protection of personal data, Japan will join the ‘White List’ of countries (Recognised Countries) to which personal data can be transferred from the European Economic Area (EEA) without extra protections needing to be put in place by the “data controller” organisation which is exporting the data.
Under the General Data Protection Regulation (GDPR), which will come into force in May 2018, the Commission can adopt an adequacy decision with regard to a non-EU country where specific criteria are met. These criteria include ensuring: an adequate level of protection essentially equivalent to that ensured within the EU; effective independent data protection supervision; enforceable rights of data subjects and effective administrative and judicial redress.
The current Recognised Countries include: Andorra; Argentina; Canada; Uruguay; Faroe Islands; Guernsey; Isle of Man; Israel; Jersey; New Zealand and Switzerland. The United States is also considered to provide adequate protection under the EU-US Privacy Shield.
The EU Commission announced in January 2017 that they would also be entering into discussions with South Korea and considering other countries such as India and Latin American territories with the hope of adopting further adequacy decisions.
At the beginning of the year, the EU Commission announced that they would be working together with Japan with the aim of reaching an adequacy decision, however many thought that these discussion would be prolonged due to the substantial differences between the GDPR and Japan’s new Act on the Protection of Personal Information.
Nevertheless, it appears that Commissioners are determined for a decision to be made in order to remove barriers to personal data transfers between the EEA and Japan. This work comes at the same time as the EU and Japan have been progressing their efforts to reach a reciprocal free trade agreement, which culminated on 6 July 2017 with an announcement that such an agreement had been reached in principle.
From our own longstanding experience of advising a wide range of Japanese companies on approaches for lawfully transferring personal data outside the EEA, it is clear that an adequacy decision would alleviate a significant compliance hurdle. This would benefit not only Japanese businesses offering goods, services and digital content to the EU but also for Japanese multinational companies which employ staff in the EEA and wish to centralise their global HR systems in Japan.
This blog was written by Amelia Day, Trainee Solicitor at White & Black.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.